开发者

Using tokens assigned from an STS to call a WCF service

I've been staring at this all day to no avail and I'm out of ideas. The IP-STS handles the login then passes it down to the RP-STS which fills the token with claims and then onto the Website. this works correctly. I have some WCF functions on the IP-STS such as change password/reset password and need to access them. Having read around I should be able to send the token already assigned through to the WCF to ensure the user is authenticated. From what I can see it is sending the token but not correctly and also not in the way that I want as it seems to need a username at the moment.

Ideally I want it to take the token assigned to the user and not have to re-request or re-create anything and definatly not any need for username/password.

The error I am currently getting is: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

Detail: The message could not be processed. This is most likely because the action 'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.

Here is the relevant bits from my web configs.

client side web.config


<system.serviceModel>
<bindings>
  <customBinding>
    <binding name="UsernameBinding">          <security authenticationMode="UserNameForCertificate"                  requireSecurityContextCancellation ="false"                  requireSignatureConfirmation="false"                  messageProtectionOrder ="SignBeforeEncryptAndEncryptSignature"                  requireDerivedKeys="true">
      </security>
      <httpTransport/>
    </binding>
  </customBinding>
  <wsFederationHttpBinding>
    <binding name="HTTPEndpoint" closeTimeout="00:10:00" openTimeout="00:10:00"
      receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
      transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
      textEncoding="utf-8" useDefaultWebProxy="true">
      <security mode="Message">
        <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"   negotiateServiceCredential="false">              <claimTypeRequirements>

            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
          </claimTypeRequirements>

          <issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
            <identity>
              <certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
            </identity>
          </issuer>
        </message>

      </security>
    </binding>
  </wsFederationHttpBinding>
</bindings>

<behaviors>
  <!-- Credentials configuration -->
  <endpointBehaviors>
    <behavior name="ServiceBehavior">
      <clientCredentials>

        <clientCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <defaultCertificate findValue="STSTestCert" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName"/>
          <authentication certificateValidationMode="PeerOrChainTrust"  />
        </serviceCertificate>

      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

<client>
  <endpoint address="http://localhost:13422/MembershipService"
    binding="wsFederationHttpBinding" bindingConfiguration="HTTPEndpoint"
    contract="MembershipService.IAccountMembershipService" name="HTTPEndpoint" behaviorConfiguration="ServiceBehavior">
    <identity>
      <dns value="localhost"/>
    </identity>
  </endpoint>
</client>


Service side:

<system.serviceModel>

<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true">
  <serviceActivations>
    <add relativeAddress="IAccountMembershipService.svc" service="AccountMembershipS开发者_JS百科ervice" factory="System.ServiceModel.Activation.WebServiceHostFactory" />
  </serviceActivations>
</serviceHostingEnvironment>

<bindings>
  <wsHttpBinding>
    <binding name="federationBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00" closeTimeout="00:10:00" openTimeout="00:10:00">

      <security mode="Message">
        <message negotiateServiceCredential="true" />
      </security>
    </binding>

  </wsHttpBinding>
  <wsFederationHttpBinding>
    <binding name="federationBinding" closeTimeout="00:10:00" openTimeout="00:10:00"
      receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false"
      transactionFlow="false" hostNameComparisonMode="StrongWildcard"
      maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
      textEncoding="utf-8" useDefaultWebProxy="true">

      <security mode="Message">
        <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" negotiateServiceCredential="false">
          <claimTypeRequirements>

            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />
          </claimTypeRequirements>

          <issuer address="http://localhost:13422/MembershipService" bindingConfiguration="UsernameBinding" binding="customBinding">
            <identity>
              <certificateReference findValue="STSTestCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
            </identity>
          </issuer>
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>
</bindings>


<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceMetadata httpGetEnabled="true" />

      <serviceCredentials>
        <serviceCertificate findValue="CN=STSTestCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>

      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

<extensions>
  <behaviorExtensions>
    <!-- This behavior extension will enable the service host to be Claims aware -->
    <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </behaviorExtensions>
</extensions>

<services>
  <service behaviorConfiguration="serviceBehavior" name="STS.IP.Models.AccountMembershipService">
    <endpoint binding="wsFederationHttpBinding" bindingConfiguration="federationBinding" name="HTTPEndpoint" contract="STS.IP.Infrastructure.IAccountMembershipService" >
      <identity>
        <dns value="localhost"/>
      </identity>
    </endpoint>
    <!-- <endpoint binding="wsHttpBinding" bindingConfiguration="" name="HTTPEndpoint" contract="Aurora.WCFIsAlive.IIsAlive" />-->

  </service>
</services>

Sorry for the massive pastes but hopefully someone can spot my error! Am I just approaching it the wrong way?


I don't know if this is of any help, but it may be slightly related... You can reuse an issued token, this was something I did before. The scenerio I had was say a ASP.NET site or WCF service was WIF secured, but then the ASP.NET site or WCF Service needed to call another service that required SAML tokens / WIF, and so on You can reuse the token if you set WIF up to use bootstraping. As long as the 2nd web service trusts the same STS.

http://msdn.microsoft.com/en-us/library/ee517256.aspx#_bootstrap

The configuration is to set under:

<microsoft.IdentityModel><service><securityTokenHandlers>: 

this value:

<securityTokenHandlerConfiguration saveBootstrapTokens="true" /> 


card space was poping up all the time... client.ClientCredentials.SupportInteractive = false;


The Web site (that relying party that is working now) and the WCF endpoint on the IP-STS are 2 different applications. You can't reuse the same token. You should obtain a new token for the IP-STS services (e.g. renew password, etc)

In this case the IP-STS services are conceptually just another relying party (that trusts itself probably).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜